Here at Ignyte, we talk a lot about the major governmental cybersecurity frameworks like FedRAMP and CMMC or the international framework ISO 27001. What we don’t talk about as much – but which is no less important – are smaller-scale or more limited frameworks. SOC is one such framework, and it’s extremely important for those who need it.
There’s also a lot of confusion surrounding it, both among businesses and among laypeople. What is SOC for? What’s the difference between SOC 2 and SOC 3? Let’s dig in and talk about them and how you should feel about them or use them.
BLUF - Bottom Line Up Front
SOC (System and Organization Controls) audits assess an organization’s controls over security and privacy. SOC 2 and SOC 3 both evaluate security, availability, processing integrity, confidentiality, and privacy of data. SOC 2 provides detailed audit reports for internal use, while SOC 3 offers public reports. SOC 1 focuses on financial reporting, whereas SOC for Cybersecurity and SOC for Supply Chain address specific risk areas. SOC 2 Type II is most trusted for comprehensive security validation.
What is SOC?
SOC stands for System and Organization Controls. It’s a framework developed by an organization you might not expect: the AICPA or American Institute of Certified Public Accountants.
The AICPA stretches all the way back to 1887 and has gone through a number of name changes over the years. Unlike some professional organizations, AICPA is both firmly involved in their industry and sets the gold standard for many processes throughout it. They create and administrate the Uniform CPA Examination, they set the standards for professional CPAs, and they run public interest campaigns and political action committees.
Something more tangibly relevant and more familiar to many of us is their selection of trust and security projects. They co-developed WebTrust alongside the Canadian Institute of Chartered Accountants (their Canadian equivalent). It’s an assurance and auditing framework that competes with similar trust frameworks like VeriSign and BBB On-Line as one of the top-tier web-based trust indicators.
SOC 2 and SOC 3 are sometimes thought of as certifications, but they aren’t. Instead, they’re an auditing and assurance process that provides an attestation report, which can be used as proof of your security to interested parties. It’s a more flexible audit than a lot of the more rigid frameworks that lay out specific security controls (like anything based on NIST SP 800-171) while still providing a trustworthy overview of a business’s state of security.
While you generally hear of SOC 2 and SOC 3, there are technically five SOC services that CPAs certified by AICPA can provide. We’ll start with the big ones.
What is SOC 2?
SOC 2, as defined by AICPA directly, is a service:
“To provide service organization management, user entities, business partners, and other parties with information about controls at the service organization relevant to security, availability, processing integrity, confidentiality, or privacy to support understanding and managing the risks arising from business relationships with service providers.”
To translate this into something more digestible, SOC 2 is an organizational process outline identifying controls across five core principles. Those principles are Security, Availability, Processing Integrity, Confidentiality, and Privacy of Customer Data.
AICPA provides auditing across these five domains, evaluating a business according to the controls they’ve outlined. Only one of them is mandatory to pass an audit, which is the Security domain. The others can be waived if the business does not need them. For example, if a business doesn’t handle confidential information at all, it can still pass an audit despite not implementing controls from the Confidentiality domain.
SOC 2 audits also come in two forms, called Type I and Type II. A Type I audit is a quick snapshot audit, the kind of audit you’re more used to from other frameworks. It looks at your business in its current state and provides an evaluation and report.
Type II audits, on the other hand, are ongoing long-term audits. They watch your business operations for 6-12 months and evaluate your performance across the relevant domains as you operate.
This provides an added benefit because it becomes impossible to falsify your security state. With snapshot audits, it can be possible to temporarily implement controls that you roll back later just to meet an audit. With the Type II audit, you don’t have room to hide. It’s dramatically more comprehensive but also much more time-consuming and expensive.
SOC 2 primarily focuses on building an information and data control framework. While there are some requirements for physical security and other elements that can impact information security, it’s not as comprehensive as something like ISO 27001 or CMMC.
What is SOC 3?
The definition for SOC 3 is simpler on its face but less straightforward.
“To provide interested parties with a service auditor’s opinion about the effectiveness of controls at the service organization relevant to security, availability, processing integrity, confidentiality, or privacy.”
What does this mean? It sounds a lot more like something that involves an opinion rather than a more validated audit, but is it?
You can immediately see that it lists the same five domains as SOC 2. Indeed, SOC 3 is very similar to SOC 2. Internally – that is, from your point of view as the business undergoing the audit – SOC 2 and SOC 3 are essentially identical. They are the same kind of audit process, with the same list of controls across the same domains.
So, what’s the difference? The difference is in the final output of the audit.
With SOC 2, the final result is an attestation report. The auditor provides a detailed report of your security implementation throughout your business, looking into each of the relevant domains and evaluating all of the known factors identified in a SOC framework.
SOC 3 is identical internally but much less thorough externally. You can think of it sort of like a redacted version of your report. It leaves out technical details and information while still attesting that those details are in place and valid.
There are two main reasons for this difference.
- Some of the information included in a SOC 2 report could potentially expose details of systems that could empower attacks on those systems. An attacker who doesn’t know where the lock is has a harder time attacking it than one who can find the lock, right?
- Much of the information included in a SOC 2 report is simply too much for the intended audience of a SOC 3 report. The people likely to be looking at SOC 3 reports don’t necessarily have the technical understanding or knowledge base necessary to even know what they’re looking at, so it’s data that is both meaningless and opens up the possibility of being misinterpreted.
SOC 3 is an auditor saying, “This business is secure, trust me,” while SOC 2 is them saying, “This business is secure, and here’s proof.” They encompass the same data and the same detail; just one provides less information in the final report.
Another key difference is that where SOC 2 has Type I and Type II reports, SOC 3 only offers Type II reports.
All of this stems from the target audience.
SOC 2 reports are meant for internal use and use with partners and suppliers. They’re detailed reports that business partners can access as part of making a partnership deal or for establishing supply chains. They’re typically shared only under NDA and are kept confidential because of the detailed information they contain.
SOC 3 reports, meanwhile, are more aimed at the general public. While they aren’t typically posted openly on a website, customers can request them through a company’s contact without any special requirements.
Is there a SOC 1 or 4?
Up above, we said that there are five kinds of SOC, but no, there is not a SOC 4. There is a SOC 1, however, as well as two additional kinds of SOC reports that have narrower focuses.
SOC 1
SOC 1 has a similar definition to SOC 2 and SOC 3:
“To provide management of the service organization, user entities, and the independent auditors of user entities’ financial statements with information and a service auditor’s opinion about controls at a service organization that are likely to be relevant to user entities’ internal control over financial reporting.”
You don’t hear much about SOC 1. A lot of people who don’t know much about SOC assume that’s because it was replaced by SOC 2 or SOC 3, but it’s not a versioning thing.
SOC 1 is much narrower in scope than SOC 2 or SOC 3. It’s focused entirely on financial statements and financial reporting and validates the accuracy and reliability of financial information.
It’s also similar to SOC 2 in that it’s meant for internal use and for business partners, but specifically business partners where financial information is handled.
While this might seem out of place compared to SOC 2 and SOC 3, it makes more sense when you remember that AICPA is an organization of accountants; providing a validation audit for financial information is squarely in their wheelhouse, and the additional trust and security frameworks to come after are an expansion on that concept.
SOC for Cybersecurity
There’s no SOC 4, but there are two additional SOC services. The first is SOC for Cybersecurity.
“To provide general users with useful information about an entity’s cybersecurity risk management program for making informed decisions.”
This is a fairly new offering, having been introduced in 2017. It’s meant to be a cybersecurity audit and report framework, and in a way, it ends up similar to the other cybersecurity frameworks we talk about on our blog.
It’s generally more comparable to SOC 1 in that it has a narrower field of view and focuses on cybersecurity exclusively. Conversely, it’s also similar to SOC 3 in that it’s meant for general users and customers rather than NDA-locked or internal use by businesses.
SOC for Supply Chain
The fifth of the current slate of SOC attestation reports is SOC for Supply Chain.
“To provide specified users with information about the controls within the entity’s system relevant to security, availability, processing integrity, confidentiality, or privacy to enable users to better understand and manage the risks arising from business relationships with their supplier and distribution networks.”
Similar to SOC for Cybersecurity, this is a narrower report than a plain SOC 2 or SOC 3 report. However, unlike SOC for Cybersecurity, it’s more robust, covering the five domains just like SOC 2.
It’s simply more focused on supply chain relations rather than customer or user relations.
Which SOC is Best for Public Trust?
The question posed in the title of this post is which of these SOC reports is the best for building public trust.
Trust comes from two angles here: implicit and explicit.
For explicit trust – that is, trust that stems directly from the report – the answer is unquestionably SOC 3. It’s the only report, other than the SOC for Cybersecurity report, that is accessible to the general public upon request. Any other SOC report is either confidential, requires an NDA, or requires being a representative of a potential business partner with a vested interest in the data.
For implicit trust – trust built simply from knowing that a security attestation has been made, even if you don’t have the details – the SOC 2 report is generally the best. A Type II SOC 2 report is the most comprehensive kind of SOC report you can have. Even users who don’t know what it entails or why it’s valuable can at least know that SOC 2 is rigorous and trustworthy, so a business that has achieved a SOC 2 attestation is going to be trustworthy.
SOC 1, since it’s rarely discussed, is much less valuable for implicit trust. It’s extremely important among the business relationships that need it, but beyond that, it’s not too useful.
SOC for Cybersecurity and SOC for Supply Chain, meanwhile, are newer and narrower in a way that makes them less valuable for building trust.
Fortunately, the two best reports – SOC 2 and SOC 3 – stem from the same collection of data and can be achieved at the same time. To help, you can check out the Ignyte Platform, which can help you aggregate data and reports that your auditors will want to see. With the data at your fingertips, it’s easy to maintain reporting throughout a longer Type II report and get the best possible documentation of your security this side of CMMC. Just request a demo and get started today!
Dan Page is a seasoned Cybersecurity and Risk Management Executive known for advancing security programs aligned with complex regulatory frameworks and critical business objectives. With over 12 years in information security, his expertise began in the U.S. Army Signal Corps, where he led global communications and secured classified networks supporting Special Operations missions. Post-military, he specializes in security architecture for CUI, ITAR data, and federal cloud workloads. Currently, as Senior Cybersecurity Manager at Ignyte Assurance Platform, Dan guides organizations through compliance with CMMC, FedRAMP, ISO 27001, PCI, and NIST standards. A CISSP, CRISC, CISM, PMP, and ITIL-certified professional, he is also a cybersecurity lecturer and community volunteer advocating workforce development.